Date: 2025-03-04

The HHS Office for Civil Rights is responsible for enforcing HIPAA rules. A core part of OCR's enforcement responsibilities is evaluating every HIPAA complaint filed to the department and reaching a resolution for each case.

Any individual who believes that their health information privacy rights were violated by a HIPAA-covered entity can file a complaint with OCR. However, OCR will only take action on complaints involving incidents that occurred in the past six years, are filed against a HIPAA-covered entity or business associate and are filed within 180 days of when the complainant reasonably knew about the alleged violation.

HHS data shows that OCR has received more than 374,000 HIPAA complaints from April 2003 to October 2024, and has resolved 99% of those cases. Understanding how OCR evaluates and investigates HIPAA complaints can help covered entities understand top compliance challenges and proactively address them.

Understanding the HIPAA complaint resolution process

When OCR receives a HIPAA complaint, it goes through an intake process to determine how to proceed. In some cases -- 15,561 to date -- OCR finds that no violation occurred, and the case is resolved.

In just 2,419 cases in OCR's HIPAA enforcement history, the office has referred cases to the Department of Justice to handle criminal investigations. Such a referral might occur if a covered entity knowingly disclosed or obtained protected health information in violation of HIPAA.

In many other cases, OCR provides technical assistance to covered entities and their business associates, without having to launch a formal investigation. Alternatively, OCR might reach a settlement agreement that requires the covered entity to commit to corrective actions to rectify security and privacy failures.

To date, in more than 255,000 cases, OCR has determined that the complaint was not eligible for enforcement due to its timing or OCR's jurisdiction. As such, only a handful of cases (152) have resulted in OCR imposing civil money penalties.

At an HHS conference held in October 2024, OCR leaders stressed that many of the office's cases end in OCR providing technical assistance -- rather than seeking out financial penalties -- in an effort to help covered entities rather than punishing them. While OCR will continue to enforce HIPAA to its fullest extent, it typically attempts to resolve cases through voluntary compliance, corrective action and resolution agreements, resorting to monetary penalties "if the covered entity does not take action to resolve the matter in a way that is satisfactory."

Considering this, specific enforcement data can help covered entities understand the most common HIPAA violations and the factors that have historically led to OCR enforcement actions and fines.